Symfony2 simple .htaccess password protect for dev purpose - .htaccess

I would like to use a .htaccess file to protect my symfony2 website while developing it.
I added the following line at the beginning of my .htaccess located in /web and a .htpasswd file just next with my password.
AuthName "Développement"
AuthType Basic
AuthUserFile ".htpasswd"
Require valid-user
I have a Error 500 when I try to access my website. Is it possible to use a htaccess in my case ? What should I use if it is not posible ?

Assuming the 500 error is caused by these directives, the most likely reason is the path to .htpasswd. AuthUserFile says
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
So either use an absolute path (e.g. /var/www/.htpasswd) or add the complete path starting from your document root (e.g. web/.htpasswd).
Also note the last section in AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
This means, store the auth file somewhere else, like /etc/apache2/htpasswd.

Related

htaccess file references going to /etc/apache2, trying to change to relative

I have the following in my .htaccess file:
AuthType Basic
AuthName "Secured"
AuthUserFile ../private/passwd
Require valid-user
Order allow,deny
Allow from env=unauthenticated
Satisfy any
The problem from the error.log is that Apache is saying "Could not open password file: /etc/apache2/passwd" - which is obviously my Apache root.
How would I specify a relative reference to the .htaccess file for a path instead?
And probably very important, can this be done in the .htaccess file only?
If so, answering question #2 would make the solution much more portable.
Doc: AuthUserFile
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
So I assume that your server root is in /etc/apache2/ so your relative URL: ./passwd will be relative to the root, and not where your htaccess file is at. Thus, it's not possible to make it portable and relative to where you place the htaccess.
Additionally, the documentation also says:
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
So it's a bad idea to keep your password file in the same place that you serve your content.

AuthUserFile in htaccess can be url?

i have this htaccess :
AuthType Basic
AuthName " Vip User Only
AuthBasicProvider file
AuthUserFile c:\inetpub\htpasswd
Require valid-user
<FilesMatch ".(jpg|gif|png|tiff|jpeg|html)$">
Allow from any
Satisfy any
</FilesMatch>
i want to remotely read htpasswd from another server ?
e.g : this htpasswd is in Server A and i want too use htaccess in Server B with Server A's htpasswd !
is this possible ?
See the documentation of AuthUserFile
File-path is the path to the user file.
There's no mention of URI anywhere. To the contrary, it advises (rightly!) to make the file inaccessible from the web
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
Otherwise anybody could download the file, and crack all your passwords.

CakePHP: How to allow password access to one directory with .htaccess

In my CakePHP app, I have a directory of files which I want to allow direct access to with a username/password. For reasons that are overly complicated, placing the directory inside the /webroot folder is not an option. My folder is located here:
/app/parent_folder/folder_full_of_files
So I want to be able to access files directly like this:
http://mysite.com/app/parent_folder/folder_full_of_files/some_file.pdf
I think I need to modify the .htaccess file in the root, and also add another .htaccess file and .htpasswd file in the folder_full_of_files
I have already found this post which asks a similar question... but I can't translate it to my application.
How do I need to modify the root .htaccess file?
What should be in the new .htaccess file. Here's what I've tried, but just results in 500 error...
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/app/parent_folder/folder_full_of_files/.htpasswd
require valid-user
What is the correct way to encrypt the password in the .htaccess file?
I got this to work. I had to do a couple things...
I added this to the .htaccess file in root:
RewriteCond %{REQUEST_URI} !^/app/parent_folder/folder_full_of_files
As #Jon pointed out, my original version above had a mistake ([L]).
I also have an .htaccess file in my /app directory. This might be a quirk about my installation because it is not 100% standard. I can't remember if it's there by default, so I'm mentioning it just in case. IF you don't have one in /app skip this step.
I added this to an .htaccess file in the /folder_full_of_files:
AuthType Basic
AuthName "restricted area"
AuthUserFile /bla/bla/mysite/.htpasswd
require valid-user
Make sure the path after AuthUserFile is a fully-qualified path to the .htpasswd file (see next step).
Create the actual .htpasswd file. It's not supposed to be under the document root, but mine is. I think the most important thing is that it's not inside /webroot. I used this command from the terminal and it created the file:
htpasswd -c /path/where/it/should/go/.htpasswd whatever_username
It asks for a plain text password which gets encrypted and written into the file.
That's it. One annoying "gotcha" is that the path in the .htaccess to the auth file must be absolute, which means it will probably have to be edited when moving between local testing and production (unless the two environments are exactly the same). It would be less clunky if relative paths were allowed.
You don't need to modify the htaccess file in your document root at all
Make sure you have AllowOverride AuthConfig or AllowOverride All configured for your /app/parent_folder/folder_full_of_files/ directory. Make sure that the directory also has a properly generated htpasswd file (named .htpasswd). You need to use the htpasswd program to generate it, or any number of online generators.

.htpasswd and .htaccess - internal server error

I want to password protect my website, but as soon as I add in the .htpasswd and .htaccess files I get a server error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Here is the code I'm using:
.htaccess
AuthType Basic
AuthName "Top Secret for SongKick eyes only."
AuthUserFile /webroot/.htpasswd
require valid-user
.htpasswd
songkick:isS1rCTQE/p8E
I've also tried AuthUserFile /.htpasswd (ie. without "webroot", which is the name of the folder it appears to be in File Manager) but this doesn't work either.
I'm using GoDaddy hosting by the way, if that makes a difference.
According to AuthUserFile, you must supply the complete path to your password file, not the relative path from DocumentRoot, if it is absolute (i.e. starting with a slash).
The AuthUserFile directive sets the name of a textual file containing the list of users and passwords for user authentication. File-path is the path to the user file. If it is not absolute, it is treated as relative to the ServerRoot.
Note that ServerRoot is not DocumentRoot.
If DocumentRoot is /var/www and the password file is /var/www/webroot/.htpasswd, you must say
AuthUserFile /var/www/webroot/.htpasswd
in your .htaccess file.
You can find out about the absolute path with a small PHP script, e.g.
<?php
echo "Absolute path: ", getcwd();
Put this in the directory, where you want to locate the .htpasswd file, and call it with http://www.example.com/path/to/test.php
Don't forget to remove the script, when you're done.
Said that, you shouldn't put your password file anywhere accessible in your DocumentRoot. Better put it in some place not accessible from the web, i.e. /etc/apache2/htpasswd or wherever it suits you.
Two things come to mind.
Is .htpasswd readable by the web server user?
Do you know if Apache is set with AllowOverride all to allow .htaccess to operate as intended?
All of the standard answers (full path, correct format, etc) weren't working for me. After a lot of tracking down I found that the permissions on the parent folder were insufficient, so even though the path in .htaccess was correct and the permissions on the file were rw-r-r, still no go because the parent was rwx-rw--. That can be tough to track down on a host that limits access to up stream folders.
Major reason of this error is the "AuthUserFile" path. I was having this same issue and i solved it by going in cpanel. By protecting your folder in cPanel, it automatically detects the htpasswd file.
Go to cPanel->Password Protect Directories->Define directory and then create a user. Hope this help you.
The APache has a bug it is reported here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=54735
You have to set password like this:
htpasswd -nb username newpassw > <path-to>/htpasswd
Simillar problem here:
Apache 2.4 "..authentication failure..:Password Mismatch"

problem protecting a directory using .htaccess

I have created a .htaccess and .htpasswd files, and stored them in the folder I want to protect and when I navigated to that folder, I was asked for the username and passowrd (stored in the .htpasswd file) after entering the username and password, I got a 500 Internal server error. I have used the files on both localhost (windows) and on a web server (linux I guess) both gave the same result mentioned.
this is my .htaccess file:
<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user
order deny,allow
I doubt that your .htpasswd file is really located at the very root of the server's filesystem along with /bin, /usr, /home, and others (rather than inside the part of the filesystem served to web browsers).
According to Apache documentation (1, 2), AuthUserFile expects a file path (as if you were in ServerRoot, usually /usr/apache or similar, and trying to locate the file from the Unix shell). It cannot be a URL, either absolute or relative. Correct your .htpasswd file path accordingly.
Note that if possible, you shouldn't put the .htpasswd file inside a public_html or htdocs folder, because any configuration error could not only allow unauthorized access to the files you want to protect but also the authorized usernames and hashed passwords.
Use an absolute hosting path, eg:
/home/content/14/5267714/html/.htpasswd

Resources